Return receipts for email have been around for quite some time. They can
be useful in some settings where a user is willing to verify that they've
received an email without taking the time to compose a reply. However, the
return receipt depends on the user's willingness to participate in the process.
Often, for one reason or another, users do not wish to do that;
these users can simply configure their
email client to deny requests for return-mail receipts -- if, in fact, the
user's email client supports that feature at all.
There are, however, those who aren't content to depend on voluntary
responses. Rampell Software is
peddling a subscription service for nosy correspondents who want to know
whether or not their email has been read. Rampell is a company that pushes
several spyware products for MacOS and Windows that are aimed at
monitoring the use of other peoples' computers. The "DidTheyReadIt" service is
aimed at people who are determined to know whether or not their mail has
been read, and who are willing to pay for the privilege.
This, of course, has some not-so-pleasant implications for personal
privacy. While the company assures
its potential customers that it respects their privacy, nothing is
said about the privacy of the recipient who may not wish to divulge whether
or not they've read a particular email or where they've read it from. On
the company's About Us page,
they identify what kinds of people might want to find out whether an
email has been read -- including some that make DidTheyReadIt sound like a
must-have for potential stalkers:
Users of online dating services such as match.com who want to know if their
potential dates are reading their messages...or ignoring them.
It isn't particularly cheap to violate others' privacy either, at least not
when using DidTheyReadIt on a regular basis. A quarterly subscription for
the service, with the ability to track 500 messages per month, is $24.99.
To use the service, the user has to send email through DidTheyReadIt's
servers by tacking ".didtheyreadit.com" onto the recipient's email
address. DidTheyReadIt's server then tags the email with a "web bug" and
sends it on its way to the intended recipient. For the uninitiated, web
bugs are a well-known spammer trick to verify working email
addresses. The spammer includes a bit of HTML in the email that
requests a uniquely named image (usually a small image that is invisible to
the reader) from a remote server that logs the hits. The image name and
email address are paired so that the spammer can identify working email
addresses with users gullible enough to open the spammer's email. When the
image is requested from didtheyreadit.com, a hit is logged and the sender
can then view the information on the DidTheyReadIt website and/or be
notified via email.
DidTheyReadIt takes the web bug idea further than the spammers do,
however. It responds to the request for the web bug image by sending a
slow stream of data back to the mail client; that stream will continue
until the receiving system resets the connection. The amount of time the
connection was allowed to run will be roughly equivalent to how long the
message was on the reader's screen, giving a sense of how seriously the
message was read.
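As an added illustration of the mechanism just described (this is example code, not DidTheyReadIt's or Rampell's), the block below shows all three sides of a web bug: the sender tacks a uniquely named 1x1 image onto the HTML, the tracker pairs hits with the token and estimates reading time from how long the image connection stayed open, and the recipient's mail client finds and neutralises any image that would be fetched over the network. The tracker host name, the hit-log format and the log lines are constructed for the example.

```python
import secrets
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a hypothetical tracking host, not DidTheyReadIt's real servers.
TRACKER_HOST = "tracker.example"


def new_token() -> str:
    """One random token per (message, recipient) so a hit identifies who opened what."""
    return secrets.token_hex(8)


def tag_message(doc: str, token: str) -> str:
    """Sender side: append the invisible tracking image (the 'web bug') keyed by token."""
    bug = (f'<img src="http://{TRACKER_HOST}/r/{token}.gif" '
           f'width="1" height="1" alt="">')
    idx = doc.lower().rfind("</body>")
    return (doc[:idx] + bug + doc[idx:]) if idx >= 0 else doc + bug


class RemoteImageFinder(HTMLParser):
    """Recipient side: locate <img> tags whose src would be fetched over the network."""

    def __init__(self):
        super().__init__()
        self.remote = []  # (raw tag text, src url)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        src = (dict(attrs).get("src") or "").strip()
        scheme = urlsplit(src).scheme.lower()
        # http(s) and protocol-relative URLs hit a remote server; cid:/data: do not.
        if scheme in ("http", "https") or src.startswith("//"):
            self.remote.append((self.get_starttag_text(), src))

    handle_startendtag = handle_starttag  # also catch <img ... />


def find_remote_images(doc: str) -> list:
    p = RemoteImageFinder()
    p.feed(doc)
    p.close()
    return [src for _, src in p.remote]


def block_remote_images(doc: str) -> str:
    """What a sane mail client does by default: replace remote images with a placeholder."""
    p = RemoteImageFinder()
    p.feed(doc)
    p.close()
    for raw, src in p.remote:
        doc = doc.replace(raw, f'<img alt="[remote image blocked: {escape(src, quote=True)}]">')
    return doc


# Constructed tracker hit log: "<epoch> open|reset <token> <client ip>".
# "open" is the image request, "reset" is when the client tore the connection down.
SAMPLE_LOG = [
    "1085000000.0 open 0f3a9c21 198.51.100.7",
    "1085000042.5 reset 0f3a9c21 198.51.100.7",
    "1085003600.0 open 0f3a9c21 203.0.113.9",   # same message opened again elsewhere
    "1085003605.0 reset 0f3a9c21 203.0.113.9",
]


def read_sessions(log_lines):
    """Tracker side: pair open/reset per (token, ip) to estimate how long the mail was on screen."""
    opened, sessions = {}, {}
    for line in log_lines:
        ts, event, token, ip = line.split()
        ts = float(ts)
        key = (token, ip)
        if event == "open":
            opened[key] = ts
        elif event == "reset" and key in opened:
            t0 = opened.pop(key)
            sessions.setdefault(token, []).append(
                {"ip": ip, "opened_at": t0, "seconds": round(ts - t0, 1)})
    return sessions
```

The "seconds" figure is only as good as the client's behaviour: a client that never renders remote images produces no session at all, and one that fetches the image in the background and closes the socket immediately produces a meaningless duration.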
When the service works, the amount of information provided to the sender is
quite intrusive. Not content to simply verify that a user opened an email,
DidTheyReadIt reports the number of times an email is read, how long the
recipient spent reading it, when it was
opened, the location of the reader, the IP address of the recipient at the
time the message is opened and their ISP. Not only is the recipient
(including anybody the message may be forwarded to) being
monitored in their reading habits, they are also being physically tracked
when the service is able to pair up a geographic location with an IP
address. While it's not possible for the service to report a street
address, it can narrow down the location to a city. It's easy to imagine
scenarios where this would be particularly undesirable.
Users who are even moderately knowledgeable about the way that the Web
works will have no problem blocking DidTheyReadIt from divining whether or
not they have opened an email sent through this service. Rampell's claim
of success "the vast majority of the time, upwards of 98% in
extensive testing" is a bit suspect. In fact, many users are
already protected by sane defaults in their mail clients, which refuse to
load remote graphics in HTML email.
This writer had to deliberately disable the defaults in the Yahoo! and
SpamCop (which uses Horde) webmail clients to allow DidTheyReadIt to track
test emails. The tracking did not work with Thunderbird or Opera's mail
client. It goes without saying that users of mutt and Pine will easily slip
under the radar.
Furthermore, once word gets around about this service, many users
may simply opt to filter out email that passes through the DidTheyReadIt
servers altogether. Some folks might also decide to play havoc with this
service by writing scripts to call random images from
DidTheyReadIt's servers to generate false positives and render the service
useless. Ed Felten predicts
that DidTheyReadIt will not succeed in the long run:
Products like this sow the seeds of their own destruction, by triggering
the adoption of technical measures that defeat them, and the creation of
social norms that make their use unacceptable.
One would hope that the use of such a service would be considered
"unacceptable" by most people already. Whether or not that is true,
however, the use of free software for crucial tasks like email gives users
the upper hand against this sort of service. There is, after all, nothing
that forces us to tolerate a mail system which supports this kind of
monitoring. If only all of our email problems were so easy to solve.
A buffer overflow exists in three Firebird database binaries
(gds_inet_server, gds_lock_mgr, and gds_drop) that is exploitable by
setting a large value to the INTERBASE environment variable. An attacker
could control program execution, allowing privilege escalation to the UID
of Firebird, full access to Firebird databases, and trojaning the Firebird
binaries. An attacker could use this to compromise other user or root
accounts. See also this bug
report.
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious script
into a web-based application; SquirrelMail does not filter the values it
takes from the URL query string before using them.
Jaguar discovered a vulnerability in one component of xpcd, a PhotoCD
viewer. xpcd-svga, part of xpcd which uses svgalib to display
graphics on the console, would copy user-supplied data of arbitrary
length into a fixed-size buffer in the pcd_open function.
A memory leak has been discovered in mod_ssl that may be triggered by
sending normal HTTP requests to the Apache HTTPS port. An attacker can
exploit this vulnerability to consume all memory available in the server,
thus causing a denial of service condition. This problem has been fixed in
Apache 2.0.49.
Versions of apache 1 through 1.3.30 include several minor vulnerabilities, including the writing of unescaped data to the error log file, a denial of service vulnerability, and a parsing failure in Allow/Deny rules on big-endian, 64-bit platforms. See the apache 1.3.31 announcement for details.
CVS (through version 1.11.15 or 1.12.7) contains a remotely exploitable heap overflow vulnerability; see this advisory from Stefan Esser for details. If you are running cvs with the "pserver" protocol, a quick upgrade is recommended (dropping pserver is also a very good idea for security-conscious sites).
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
in its handling of HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Evgeny Demidov discovered a potential buffer overflow in a Kerberos 4
component of heimdal, a free implementation of Kerberos 5. The
problem is present in kadmind, a server for administrative access to
the Kerberos database. This problem could perhaps be exploited to
cause the daemon to read a negative amount of data which could lead to
unexpected behavior.
The icecast server has a read error in its authorization code which can enable a denial of service attack; upgrading to version 2.0.1 fixes the problem.
Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
racoon does not check the length of ISAKMP headers. Attackers may be able
to craft an ISAKMP header of sufficient length to consume all available
system resources, causing a Denial of Service. This advisory contains additional
details.
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
iDEFENSE identified a vulnerability in the Opera Web Browser that could
allow remote attackers to create or truncate arbitrary files. The KDE team
has found that similar vulnerabilities exist in all versions of KDE up to
and including KDE 3.2.2. See this advisory for
more information.
KDE has issued a security advisory for all
versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4
inclusive. A carefully crafted .VCF file potentially enables local
attackers to compromise the privacy of a victim's data or execute arbitrary
commands with the victim's privileges. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to
this issue.
The 2.4 and 2.6 kernels contain a
vulnerability in the iso9660 (CDROM) filesystem which can be used by a
local attacker to obtain root privileges. The exploit requires creating a
specially-crafted filesystem and getting the kernel to mount it. Many
systems are configured to automatically mount CDs on insertion, however, so
the possibility of this vulnerability being exploited by users with
physical access to the system is real. The 2.4.26 kernel contains the fix,
which will also be merged into the upcoming 2.6.6 release.
A locally exploitable integer overflow has been found in the multicast code
of Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 to 2.6.3. A
successful exploit could lead to full superuser privileges.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
LHA is an archiving and compression utility for LHarc format archives. Ulf
Harnhammar discovered two stack buffer overflows and two directory
traversal flaws in LHA. See this advisory+patch for more details.
CAN-2004-0234: An attacker could exploit the buffer overflows by creating a
carefully crafted LHA archive in such a way that arbitrary code would be
executed when the archive is tested or extracted by a victim.
CAN-2004-0235: An attacker could exploit the directory traversal issues to
create files as the victim outside of the expected directory.
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Matthew Galgoci of Red Hat discovered a Denial of Service (DoS)
vulnerability in versions of Mailman prior to 2.1. An attacker could send
a carefully-crafted message causing mailman to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0991 to this issue.
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or would need to trick a
user somehow into running a specially crafted NASL script. Read the full
advisory for additional information.
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
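To make the timing leak concrete, the following is an added example; it is not code from OpenSSH, PAM or the advisory, and the credential store in it is constructed. The leaky checker returns early for unknown users, so their failures skip the expensive password hash and come back measurably faster; the fixed checker hashes against a dummy credential for unknown users so the cost is the same either way. A hash-call counter makes the difference visible without a stopwatch, and the probing functions show how a client would measure it.

```python
import hashlib
import hmac
import os
import time

_ITER = 20_000
HASH_CALLS = {"n": 0}  # counts expensive hash computations so the leak is observable deterministically


def _pw_hash(password: str, salt: bytes) -> bytes:
    HASH_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)


# Constructed credential store standing in for the system's user database.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pw_hash("correct horse battery", _SALT))}
# Fixed dummy credential that unknown users are "checked" against in the fixed version.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pw_hash("placeholder", _DUMMY_SALT)


def auth_leaky(user: str, password: str) -> bool:
    """Returns early for unknown users: the hash is skipped and the reply comes back faster."""
    if user not in USERS:
        return False
    salt, expected = USERS[user]
    return hmac.compare_digest(_pw_hash(password, salt), expected)


def auth_constant(user: str, password: str) -> bool:
    """Does the same amount of work whether or not the user exists."""
    salt, expected = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_pw_hash(password, salt), expected)
    return match and user in USERS


def hash_work(fn, user: str, password: str = "wrong") -> int:
    """How many expensive hashes one failed login for `user` triggers through `fn`."""
    before = HASH_CALLS["n"]
    fn(user, password)
    return HASH_CALLS["n"] - before


def min_latency(fn, user: str, password: str = "wrong", rounds: int = 10) -> float:
    """Best-of-N wall clock time for a failed login, as a probing client would measure it."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(user, password)
        best = min(best, time.perf_counter() - t0)
    return best


def probe_username(fn, candidate: str, bogus: str = "zz-no-such-user", ratio: float = 3.0) -> bool:
    """Attacker's oracle: a candidate whose failure takes far longer than a bogus name exists."""
    return min_latency(fn, candidate) > ratio * min_latency(fn, bogus)
```

Over a network the attacker gets noisier samples than perf_counter, but the gap here is the full cost of a password hash, which is exactly why the advisory calls the attack easy to exploit.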
Steve Grubb found some problems in the passwd program. Passwords given to
passwd via stdin are one character shorter than they are supposed to be.
He also discovered that pam may not have been sufficiently initialized to
ensure safe and proper operation. A few small memory leaks have been fixed
as well.
The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
A portability workaround was applied in version 1.2.9 of the FTP server ProFTPD. As a side-effect, CIDR based
(aaa.bbb.ccc.ddd/NN) ACL entries in "Allow" and "Deny" directives act like
an "AllowAll" directive and so FTP clients are granted access to files and
directories although the server configuration might explicitly deny this.
See this bug
report.
See the rsync homepage for the
April 2004
advisory: "There is a security problem in all versions prior to
2.6.1 that affects only people running a read/write daemon WITHOUT using
chroot. If the user privs that such an rsync daemon is using is anything
above "nobody", you are at risk of someone crafting an attack that could
write a file outside of the module's "path" setting (where all its files
should be stored). Please either enable chroot or upgrade to 2.6.1. People
not running a daemon, running a read-only daemon, or running a chrooted
daemon are totally unaffected."
Versions of the subversion source management package up to and including 1.0.2 suffer from a remotely exploitable buffer overflow vulnerability in their date parsing code; see this advisory for details. "Exploiting this vulnerability on not heavily protected servers is trivial
even for beginners, therefore it is strongly recommended to update
immediately."
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
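Both the tar/unzip "../" problem above and the LHA directory traversal (CAN-2004-0235) come down to an extractor trusting member names. The following added example (not tar, unzip or LHA code; the hostile archive contents are constructed) shows the check an extractor should apply before writing each member: reject absolute names and any ".." component, then resolve the final path and confirm it is still under the destination, which also catches the case where an earlier member planted a symlink pointing outside.

```python
import os
import tempfile


def safe_extract_path(dest_dir: str, member_name: str) -> str:
    """Return the absolute path where `member_name` may be written under `dest_dir`,
    or raise ValueError if the name would land outside it."""
    name = member_name.replace("\\", "/")
    if name.startswith("/"):
        raise ValueError(f"absolute member name rejected: {member_name!r}")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"traversal component rejected: {member_name!r}")
    root = os.path.realpath(dest_dir)
    # realpath follows any symlink already present in the destination tree
    target = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"resolves outside destination: {member_name!r}")
    return target


def extract_all(dest_dir: str, members):
    """members: iterable of (name, bytes). Writes only members that pass the check.
    Returns (written names, [(rejected name, reason)])."""
    written, rejected = [], []
    for name, data in members:
        try:
            target = safe_extract_path(dest_dir, name)
        except ValueError as err:
            rejected.append((name, str(err)))
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(name)
    return written, rejected


# Constructed member list standing in for a hostile tar/LHA archive.
HOSTILE_MEMBERS = [
    ("docs/readme.txt", b"harmless\n"),
    ("../../.bashrc", b"alias ls='evil'\n"),
    ("/etc/passwd", b"root::0:0::/:/bin/sh\n"),
    ("docs/../../escape.txt", b"x"),
    ("link/escape.txt", b"via symlink"),
]


def demo():
    dest = tempfile.mkdtemp()
    # A symlink inside the destination that points outside it (planted earlier or pre-existing).
    os.symlink(os.path.dirname(dest), os.path.join(dest, "link"))
    return extract_all(dest, HOSTILE_MEMBERS)
```

Symlink and hard-link members need their own check (the link target must be confined the same way); this example only covers regular files, which is where the reported bugs were.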
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
This telnet daemon vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
Steve Grubb discovered two potential issues in the utempter program.
First, if the path to the device contained /../, /./ or //, the program
did not exit as it should. An attacker could pass something like
/dev/../tmp/tty0; if /tmp/tty0 were then deleted and replaced with a
symlink to an important file, programs running with root privileges that
do no further validation could overwrite whatever the symlink pointed to.
Second, several calls to strncpy were made without manually terminating the
resulting string; this would most likely just crash utempter.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
A vulnerability exists in xine-lib where playing a specially crafted Real
RTSP stream could run malicious code as the user playing the stream. More
details can be found in this
advisory. The problem has been fixed in xine-lib 1-rc4.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
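The netpbm and xine-ui entries describe the same bug class: a predictable temporary file name opened without create-only semantics, so a local attacker who plants a symlink at that name gets the victim's own privileges used to overwrite whatever the link points to. The following added example (not netpbm or xine-ui code; the file names are constructed) reproduces the race outcome in a scratch directory and shows the two fixes: open with O_CREAT|O_EXCL|O_NOFOLLOW, or better, let mkstemp pick an unpredictable name.

```python
import os
import tempfile


def insecure_write(path: str, data: str) -> None:
    """The vulnerable pattern: predictable name, plain open(), which follows a symlink."""
    with open(path, "w") as fh:  # O_CREAT without O_EXCL: happily writes through a planted link
        fh.write(data)


def secure_create(path: str, data: str) -> None:
    """Create-only, refuse to follow a symlink, private mode; fails if the name already exists."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def secure_tempfile(data: str, directory: str = None) -> str:
    """Preferred form: mkstemp chooses an unpredictable name and opens it with O_EXCL for us."""
    fd, path = tempfile.mkstemp(prefix="tool-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Simulate the attacker having planted a symlink at the predictable temp-file name."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim")  # stands in for a file the user cares about
    with open(victim, "w") as fh:
        fh.write("original\n")
    planted = os.path.join(workdir, "tool.12345")  # the $$-style name the tool would use
    os.symlink(victim, planted)                    # attacker wins the race

    insecure_write(planted, "clobbered\n")
    after_insecure = open(victim).read()

    try:
        secure_create(planted, "clobbered again\n")
        secure_refused = False
    except OSError:  # EEXIST: the symlink occupies the name, so O_EXCL refuses it
        secure_refused = True
    after_secure = open(victim).read()

    safe_path = secure_tempfile("private scratch\n", workdir)
    return after_insecure, secure_refused, after_secure, os.path.basename(safe_path)
```

Note that the shell-script variant (xine-ui's helper script) has the same fix: use mktemp(1) rather than building a name from $$.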